The present invention relates to a network system and more particularly to an apparatus and method for distributing a central policy to distributed egress points on an enterprise network.
Many companies, governmental agencies and other organizations (collectively “enterprises”) are interested in having employees and others, such as consultants and business partners, work from remote locations rather than be physically present at a particular enterprise facility. Teleworking, the concept of using advanced communication technology to enable business to be conducted from locations remote from the enterprise's facility, is increasingly popular as high bandwidth internet access becomes widely available. Indeed, as the costs of maintaining office space, travel and fuel escalate, enterprises find that teleworking generates substantial savings and is widely popular with employees and business contacts (collectively “agents”).
Teleworking is wholly dependent on the ability to enable access to an enterprise's proprietary network for voice, data and multimedia applications from remote locations. With the increased availability of high speed Internet and voice over Internet protocol (VOIP) technology, agents can both access the enterprise's computer systems and communication network as if they were working from the enterprise's office. A remote office, such as at an agent's home, provides great benefit for both the enterprise and the agent because the enterprise saves the money it would normally spend on leasing office space and the agent saves the time normally spent commuting.
Many enterprises supply VOIP technology that can be used by the agent. For example, Cisco Systems, Inc. of San Jose, Calif., the assignee of the present application, currently markets voice and video enabled VPN (V3PN) solutions that integrate cost-effective, secure connectivity provided by site-to-site IPSec VPNs for delivering converged voice, video, and data IP networks. V3PN is typically a site-to-site deployment using T1 lines and the Internet, so voice quality is similar to that of a toll call. When design guidelines for IPSec over ADSL are followed, a caller cannot hear a difference in voice quality when the IP telephone is connected from the employee's home over a broadband connection. IPSec refers to an IP security protocol developed by the Internet Engineering Task Force (IETF), the main standards organization for the Internet, to support secure exchange of packets at the IP layer. IPSec has been deployed widely to implement Virtual Private Networks (VPNs). ADSL refers to Asymmetric Digital Subscriber Lines that are used to deliver high-rate digital data over existing ordinary phone lines. ADSL facilitates the simultaneous use of normal telephone services and high speed data transmission at rates of about 1.5 to 9 megabits per second (Mbps) when receiving data (known as the downstream rate) and from 16 to 640 kilobits per second (Kbps) when sending data (known as the upstream rate).
Typically, enterprise IPSec deployments rely on non-split tunnel configurations to force agent Internet access through the enterprise's campus head-end. In this configuration, enterprise policies for blocking access to selected web site addresses are centrally administered. One common technique for blocking access is popularly referred to as a black hole shunt. A “black hole shunt” forwards malicious packet traffic to a router's bit bucket or a null route rather than forwarding it on to the designated destination.
This configuration, however, introduces additional latency for accessing Internet sites for the agent's router as all the traffic from each agent is routed to the head-end. Additional loading on the head-end and Internet WAN links occurs because most enterprises also encrypt the traffic between the enterprise and the agent's router and this encrypted traffic must be handled even if the public web site is the ultimate destination. To illustrate, in a typical network system, a portion of the packet traffic is destined for the enterprise and the remaining portion is to be forwarded on to an Internet server. The requirement to force all packets via the IPSec tunnel to the head-end results in the inefficient utilization of the IPSec tunnel bandwidth simply to apply a central policy.
Other problems arise with this configuration when fake e-mails, commonly referred to as “phishing” e-mails, from fraudulent aliases are delivered to agents and internal e-mail aliases. When phishing e-mails are discovered, an enterprise typically must add the destination of the phishing information to a list of “blackholed” or prohibited addresses to keep agents from accessing the site. In addition, the enterprise and the ISP responsible for the destination IP have to cooperate to make sure that the rogue website is taken offline. A rogue website refers to a website on a host server that is programmed to achieve a mischievous or malicious end result.
What is needed is a configuration that can dynamically propagate the list of “blackholed” website addresses in a split tunnel configuration from the enterprise head-end to each remote agent router. What is also needed is a system and a method that can efficiently distribute a central policy to distributed egress points from the enterprise network rather than moving agent packet traffic to the head-end before egress to the Internet.
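The following is an added simulation (not code from the patent or from its assignee) of the arrangement described above: a head-end pushes a versioned list of “blackholed” destinations to split-tunnel agent routers, and each agent router then null-routes those destinations locally while still tunnelling enterprise traffic and sending other Internet traffic out directly. The prefixes and router names are constructed sample values.

```python
import ipaddress

# Constructed sample data: 10.0.0.0/8 stands in for the enterprise campus,
# 203.0.113.0/24 (a documentation range) stands in for a phishing site.
ENTERPRISE_PREFIXES = ["10.0.0.0/8"]


class AgentRouter:
    """Split-tunnel egress point that applies a centrally distributed blackhole policy."""

    def __init__(self, name, enterprise_prefixes):
        self.name = name
        self.enterprise = [ipaddress.ip_network(p) for p in enterprise_prefixes]
        self.blackholed = set()   # destinations null-routed at this egress point
        self.policy_version = 0

    def apply_policy(self, version, prefixes):
        # Accept only a newer policy version; a stale or replayed push is ignored.
        if version <= self.policy_version:
            return False
        self.blackholed = {ipaddress.ip_network(p) for p in prefixes}
        self.policy_version = version
        return True

    def route(self, dst):
        addr = ipaddress.ip_address(dst)
        if any(addr in n for n in self.blackholed):
            return "null"      # black hole shunt: drop instead of forwarding
        if any(addr in n for n in self.enterprise):
            return "tunnel"    # enterprise traffic still crosses the IPSec tunnel
        return "direct"        # public Internet egresses locally (split tunnel)


class HeadEnd:
    """Central policy owner; distributes the blackhole list to every registered agent."""

    def __init__(self):
        self.version = 0
        self.blackholed = set()
        self.agents = []

    def register(self, agent):
        self.agents.append(agent)

    def blackhole(self, prefix):
        # Add a newly discovered phishing destination and push the whole list.
        self.blackholed.add(prefix)
        self.version += 1
        return [a.name for a in self.agents
                if a.apply_policy(self.version, set(self.blackholed))]
```

In a non-split configuration every destination would return "tunnel" here, which is exactly the head-end and IPSec bandwidth cost the passage describes.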